Can't See Internal Network: ASA 5505

Discussion in 'Cisco' started by Buck Rogers, Jan 19, 2008.

  1. Buck Rogers

    Buck Rogers Guest

    Hello All,

    I have an ASA 5505 connected at a client and I can access the
    internet with no problem. However, I can't see/peruse their internal
    network. Below is the config. Will you give me a critique of the
    config and a possible explanation why I can't see the internal
    network? I have yet to try VPN.

    Also, this client previously had a Pix 501 and the config needed an
    "isakmp nat-traversal 1200" line in the config. When I put the same
    line in the ASA config, I couldn't access the internet. Without the
    line, I can. Again, will you give me an explanation as to why?

    Any further info needed will be provided.

    Regards,

    Buck


    :
    ASA Version 7.2(3)
    !
    hostname xxxx
    domain-name xxxxxxxx
    enable password EPFuQGl0PmoKEsli encrypted
    names
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute ****client is using DYNDNS****
    !
    interface Vlan3
    no forward interface Vlan1
    nameif dmz
    security-level 50
    no ip address
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    passwd 1uciNxnXZFirVGRB encrypted
    ftp mode passive
    dns server-group DefaultDNS
    domain-name xxxxxx
    access-list xxxxx_splitTunnelAcl standard permit any
    access-list xxxxx_splitTunnelAcl_1 standard permit any
    access-list inside_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.224
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    ip local pool xxxx 192.168.2.8-192.168.2.17 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-523.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    dhcpd address 192.168.1.8-192.168.1.12 inside
    dhcpd dns xxxxxxxxxxxxxxx interface inside
    dhcpd enable inside
    !

    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    group-policy xxxxx internal
    group-policy xxxxx attributes
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value xxxxx_splitTunnelAcl_1
    username xxxxxxxx password HUnPMQd7PYqD/tGX encrypted privilege 0
    username xxxxxxxx attributes
    vpn-group-policy xxxxxx
    username xxxxx password EESlanzMed7BYAKE encrypted privilege 0
    username xxxx attributes
    vpn-group-policy xxxxx
    tunnel-group xxxxx type ipsec-ra
    tunnel-group xxxxxx general-attributes
    address-pool xxxx
    default-group-policy xxxxxx
    tunnel-group xxxxxxx ipsec-attributes
    pre-shared-key *
    prompt hostname context
    Cryptochecksum:85e7312956b943bf0d0dc233281d5e16
    : end
    [OK]
     
    Buck Rogers, Jan 19, 2008
    #1
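The parts of the posted config that decide whether remote-access VPN clients can reach the inside network are the address pool, the `nat (inside) 0` exemption ACL and the interface subnets; the lines that decide what is reachable for management from the outside are the `ssh`/`http`/`telnet` entries. Below is an added Python example that reads a `show run` dump and checks exactly those points. It is not the poster's code and not a Cisco tool; the checks are the editor's own heuristics, the embedded sample is a trimmed copy of the config posted above, and the pool name `vpnpool` stands in for the name the poster elided.

```python
"""Lint an ASA 7.x 'show run' dump for the settings that decide whether
VPN-pool clients reach the inside network and whether management is
reachable from the outside interface.

Added example for this thread: not Cisco tooling, not the poster's code.
Heuristics are the editor's; SAMPLE_CONFIG is trimmed from the posted
config, with the elided pool name replaced by 'vpnpool' (assumption).
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
access-list inside_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.224
ip local pool vpnpool 192.168.2.8-192.168.2.17 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
http 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
"""

_IP = r"\d+\.\d+\.\d+\.\d+"


def _net(addr, mask):
    # ipaddress accepts dotted netmasks for IPv4 ("192.168.2.0/255.255.255.224")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _acl_addr(tok):
    return ipaddress.ip_network("0.0.0.0/0") if tok == "any" else _net(*tok.split())


def parse(config):
    """Pull interfaces, pools, extended ACL destinations, the nat 0 ACL
    name and management access lines out of the dump."""
    facts = {"ifaces": {}, "pools": {}, "acls": {}, "nat0_acl": None, "mgmt": []}
    cur = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            cur = facts["ifaces"].setdefault(m.group(1), {})
        elif cur is not None and (m := re.match(r"nameif (\S+)$", line)):
            cur["nameif"] = m.group(1)
        elif cur is not None and (m := re.match(r"security-level (\d+)$", line)):
            cur["level"] = int(m.group(1))
        elif cur is not None and (m := re.match(rf"ip address ({_IP}) ({_IP})$", line)):
            cur["net"] = _net(m.group(1), m.group(2))  # 'ip address dhcp' is skipped
        elif m := re.match(rf"ip local pool (\S+) ({_IP})-({_IP}) mask ({_IP})$", line):
            facts["pools"][m.group(1)] = (
                ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)), m.group(4))
        elif m := re.match(
                rf"access-list (\S+) extended permit ip (any|{_IP} {_IP}) (any|{_IP} {_IP})$", line):
            facts["acls"].setdefault(m.group(1), []).append(_acl_addr(m.group(3)))
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)$", line):
            facts["nat0_acl"] = m.group(2)
        elif m := re.match(rf"(ssh|http|telnet) ({_IP}) ({_IP}) (\S+)$", line):
            facts["mgmt"].append((m.group(1), _net(m.group(2), m.group(3)), m.group(4)))
    return facts


def lint(config):
    facts = parse(config)
    exempt = facts["acls"].get(facts["nat0_acl"], [])
    by_name = {i["nameif"]: i for i in facts["ifaces"].values() if "nameif" in i}
    report = {"pool_exempt_from_nat": {}, "pool_overlaps_interface": {}, "mgmt_exposed": []}
    for name, (first, last, _mask) in facts["pools"].items():
        # NAT exemption keeps inside<->pool traffic out of the dynamic PAT rule;
        # it must cover the whole pool, not just part of it.
        report["pool_exempt_from_nat"][name] = any(first in n and last in n for n in exempt)
        # A pool that overlaps an interface subnet makes routing to clients ambiguous.
        report["pool_overlaps_interface"][name] = any(
            first in i["net"] or last in i["net"] for i in facts["ifaces"].values() if "net" in i)
    for proto, src, ifname in facts["mgmt"]:
        # Management permitted on a security-level-0 interface is internet-reachable.
        if by_name.get(ifname, {}).get("level") == 0:
            report["mgmt_exposed"].append(f"{proto} from {src} on {ifname}")
    return report


if __name__ == "__main__":
    for key, value in lint(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run it as a script to see the report for the sample, or pass another dump to `lint()`. On the posted config it confirms that the `nat 0` ACL covers the whole pool (192.168.2.8-17 sits inside 192.168.2.0/27) and that the pool does not overlap the inside subnet, and it flags `ssh 0.0.0.0 0.0.0.0 outside`, which lets SSH logins be attempted from any address on the internet against the two `privilege 0` local accounts.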

  2. Buck Rogers

    Buck Rogers Guest

    Hello All,

    Boy, do I feel dumb!!

    Problem solved.....it was the OS firewall stopping the connections.
    After fixing the settings, all is okay. Sorry for the bandwidth
    disruption.

    However, my question about isakmp nat-traversal is still puzzling me.

    Regards,

    Buck
     
    Buck Rogers, Jan 20, 2008
    #2

  3. Buck Rogers

    Buck Rogers Guest

    This thread is now closed. All problems solved......all problems
    caused by OP error.

    My Bad,

    Buck
     
    Buck Rogers, Jan 21, 2008
    #3
